Monday, 12 September 2011

Guide to Changing the Windows XP Product Key

Step 1 : Click on Start and then Run


The main reason you might want to change the Windows XP product key is that your key is pirated or otherwise incorrect, but you don't want to reinstall Windows XP to activate your new legal product key.

Note: I created this step by step guide in addition to my original How to Change the Windows XP Product Key Code guide. There are several very specific steps in this process, many of which involve editing the Windows Registry, so this visual tutorial should help clear up any confusion.

Changing your Windows XP product key should take you less than 15 minutes.

The first thing you need to do is click on Start and then Run....


Step 2 : Open Registry Editor

Now that the Run application is open, type regedit and then click the OK button.

The regedit command will open the Registry Editor application, used to edit the Windows Registry.

Step 3 : Navigate to the WPAEvents Registry Subkey


Before Continuing: Please be aware that changes to the Windows Registry are made in upcoming steps. Take great care in making only the changes described. I recommend that you back up the registry keys you're modifying in these steps as an extra precaution.

First, locate the HKEY_LOCAL_MACHINE folder under My Computer and click on the (+) sign next to the folder name to expand the folder.

Continue to expand folders until you reach the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents registry key.

Click on the WPAEvents folder once.


Step 4 : Click to Modify the OOBETimer Registry Value



In the results that appear in the window on the right, locate OOBETimer.

Right-click on the OOBETimer entry and then click Modify from the menu that drops down.


Step 5 : Select Part of the OOBETimer Value




The screen you should see now is the Edit Binary Value window with OOBETimer in the "Value name:" field.

As part of the process to change your Windows XP product key, you'll need to deactivate Windows XP. Deactivating Windows XP is accomplished by changing the value of OOBETimer, something you're about to do.

Select any part of the OOBETimer value by double-clicking on it.

Note: I've distorted much of the hexadecimal series for OOBETimer in this and other screenshots but you'll see several letters and numbers on your computer.


Step 6 : Change the OOBETimer Value


Enter any value you want over the selection you made in the previous step.

Note: The OOBETimer value just needs to change - it doesn't matter what it's changed to. As you can see in the screenshot above, I changed the first part of the value to 11 from FF.

Click the OK button to confirm the change.


Step 7 : Close Registry Editor


As you can see, the OOBETimer value has changed.

You can now close Registry Editor. We're done making changes in the registry.


Step 8 : Click on Start and then Run



We're now going to open another program via a command.

Click on Start and then Run....


Step 9 : Open the Windows XP Activation Wizard



Now that the Run application is open, type the following command exactly:

%systemroot%\system32\oobe\msoobe.exe /a

Now click the OK button.

Note: In the command above, the only space is between "exe" and "/a". Also, all of the o's are letters - there are no zeros in the command.

This command opens the Windows XP Activation Wizard where we'll change the XP product key.


Step 10 : Choose the Telephone Activation Option



You should now see the Let's activate Windows window.

Choose the Yes, I want to telephone a customer service representative to activate Windows radio button and then click the Next button.

Note: You won't actually be activating Windows XP via the telephone at this time. This is just the step you have to take right now to get to the area where you can change the Windows XP product key.

Important: If you don't see the screen above but instead see a message notifying you that Windows XP is already activated, you may not have properly changed the OOBETimer value, in which case you should start this process over.

If that still doesn't work, which is not uncommon, you should try changing the Windows XP product key with Winkeyfinder, a popular free product key finder program that can also change the XP product key. I like this manual process better since there's nothing to download but if it doesn't work for you, give Winkeyfinder a try.


Step 11 : Click the Change Product Key Button



Click the Change Product Key button at the bottom of this window.

Note: Don't fill out anything on this screen since this is part of a Windows XP activation process, something you may or may not be doing after your product key is changed.


Step 12 : Enter the New Windows XP Product Key



Locate your valid Windows XP product key and enter it here.

After entering the product key, click the Update button.

Note: The product key in the screenshot above is not a valid Windows XP product key. It is provided for example only.


Step 13 : Wait While the New Installation ID is Generated



After updating your Windows XP product key, the Windows XP Activation Wizard will generate a new Installation ID which will be used to activate Windows XP.

This screen is only momentarily displayed. If you don't see it, don't worry. It probably just happened too quickly to notice.


Step 14 : Reactivate Windows XP


Now that your product key is changed, you'll need to reactivate Windows XP.

You should now be seeing the Activate Windows by phone screen. This is one method of activating Windows which you're more than welcome to use.

If you click the Back button, you'll see that you have the option of activating over the Internet - a much easier and faster way to activate Windows XP assuming you have an Internet connection on the computer.

If you'd rather postpone activating Windows XP until a later date, you can click the Remind me later button on this window or choose the No, remind me to activate Windows every few days radio button on the main activation screen.


Step 15 : Confirm Reactivation of Windows XP



After activating Windows XP, you can verify that activation was successful by repeating Step 8 and then Step 9.

The Windows Product Activation window that appears in place of Step 10 should say "Windows is already activated. Click OK to exit."


Friday, 12 August 2011

How to remove Facebook Chat Virus “hi. how are you?” AKA KOOBFACE


Sample chat:
“hi. how are you?”
*If you reply, it will send you:*
“Wanna laugh? :)”
*If you reply again, it will send you:*
“It is you on the video ?)) want to see?)”
*If you reply again, it will send you the virus link.*

The sample website :

Will my computer get infected once I click the link?
No! Unless you download some files from the link. (Currently they use the drive-by method.)

HOW TO FIX!
If your computer is infected and can't access Facebook, please refer to Method 1.

Method 1 :

Windows operating systems contain a file called ‘hosts’ that will force resolution of your domain name.

  1. Open the hosts file
    1. Go to the Start menu and choose Run. Type the following in the Run dialog box:
      1. For Windows NT and Windows 2000
        1. C:\winnt\system32\drivers\etc
      2. Windows XP, Windows Vista or Windows 7
        1. C:\Windows\System32\drivers\etc
    2. Click the OK button (This should open a window with several files in it.)
    3. Find the file called ‘hosts’ and double-click it. If prompted, specify that you would like to choose a program to open the file with from a list of programs.
      1. Choose ‘Notepad’ from the list of available programs.
  2. Edit and save the hosts file
    1. The contents of your hosts file should look something like this
    2. Find the line with the word facebook.com (example: “127.0.0.1 www.facebook.com”)
    3. Remove it.
    4. Close the hosts file and save it when prompted.
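
The hosts-file check from Method 1 can also be scripted. The following is an added example, not part of the original post: it flags entries that pin facebook.com (or a subdomain) to a loopback or 0.0.0.0 address and returns the file text with only those names removed. The function names and the sample hosts content are constructed for illustration.

```python
import ipaddress

WATCHED = ("facebook.com",)  # the domain this post names

def is_watched(host, watched=WATCHED):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)

def is_local_sink(addr):
    """True for loopback or unspecified addresses (127.x.x.x, ::1, 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def audit_hosts(text, watched=WATCHED):
    """Return (findings, cleaned_text). findings holds (line_no, address, name)
    for watched names pinned to a local address; cleaned_text drops only those
    names and keeps every other line, comment and hostname."""
    findings, kept = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, sep, comment = raw.partition("#")
        fields = body.split()
        addr, names = (fields[0], fields[1:]) if len(fields) > 1 else ("", [])
        bad = [n for n in names if is_watched(n, watched)]
        if not bad or not is_local_sink(addr):
            kept.append(raw)
            continue
        findings.extend((lineno, addr, n) for n in bad)
        good = [n for n in names if n not in bad]
        if good:  # the line also maps other names: keep those
            kept.append(" ".join([addr] + good) + (" #" + comment if sep else ""))
    return findings, "\n".join(kept) + "\n"

# Constructed sample, not taken from an infected machine.
SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.facebook.com
127.0.0.1 facebook.com printer.local   # mixed line
10.0.0.5        intranet.example
#127.0.0.1 login.facebook.com
"""

if __name__ == "__main__":
    found, cleaned = audit_hosts(SAMPLE)
    for lineno, addr, name in found:
        print(f"line {lineno}: {name} -> {addr}")
```

Review the findings before writing the cleaned text back, and keep a copy of the original hosts file.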

Method 2:

UPDATED : Try ComboFix ( http://www.combofix.org/ )

1. Start Task Manager.
2. Kill these processes:
fbtre6.exe
mstre6.exe
Delete these registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systray" = "c:\windows\mstre6.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systray" = "C:\Windows\fbtre6.exe"
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating;
Method:
Launch the Registry Editor. Press the Start button and then click Run. Type regedit into the Open: field. Then click the OK button.
A new window will pop up; type regedit and click OK.
Find the virus file by following the steps below:
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Run > "systray"
Check the value before you delete it: select the value that contains "c:\windows\mstre6.exe" and press Delete.
WARNING: DO NOT DELETE FILES YOU ARE NOT SURE ABOUT. YOUR LAPTOP/PC MAY NOT BE ABLE TO START IF YOU DELETE THE WRONG ONE.
3. Delete these files:
C:\Windows\fbtre6.exe
C:\Windows\fmark2.dat
Still don’t understand how to use regedit?
More Detailed Guide :

More Info :
Clean your startup (msconfig), use ccleaner.
Run your virus scanner to make sure that the virus on your PC is removed.

If your account has been taken over and used to send spam, you should follow these steps immediately:

  • Reset your Facebook password. You can do this by clicking the “Forgot your password?” link on the login page or by going to the Account Settings page once logged in.
  • If you can’t reset your password because the email address you use to log in has changed, or if your account has been disabled, visit our help page.
  • Make sure you have up-to-date security software on your computer, run a scan, and remove any malicious files. If you don’t do this, and your computer is infected, your account may be taken over again. If you don’t yet have protection for your computer, you can download a complimentary six-month subscription of McAfee security software. Learn more on the Software tab.

Download :
CCleaner: http://www.piriform.com/ccleaner/download
Use this to clean up unneeded files (TEMP files, cookies, etc)

Malwarebytes: http://www.malwarebytes.org/mbam.php
This is great anti-malware software. Update it, then scan your PC at least once a week.

SUPERAntiSpyware: http://www.superantispyware.com/download.html
This is anti-spyware software. Use it after Malwarebytes, also once a week.

How about using antivirus/anti-malware software to remove it?
The virus/worm is now FUD (fully undetectable). It takes some time for the antivirus companies to update their definitions to detect it.

FYI: The person who made this virus/worm can also make new (FUD) virus files that can't be detected.

VirusTotal Report

File name: Flash-Player.exe
Submission date: 2011-07-21 11:10:11 (UTC)
Result: 11/43 (25.6%)



Tuesday, 28 June 2011

Virus in Windows System Registry

It's hard to remove a virus from the Windows System Registry, because it's not easy to find where the virus hides. It's also dangerous to edit the data inside the registry. If you enter or delete the wrong key, data or value, Windows might be unable to run afterwards. Here we just show you how to check for any unwanted program loaded into memory when Windows starts.

To change the registry data, you need to run the Microsoft Registry Editor, RegEdit.exe. Click the Start button, then select the Run... item. When the Run window appears, type 'RegEdit' into the Open: textbox and click the OK button.

You might be unable to run RegEdit because the virus blocks the doorway. In this case, you need to start Windows in Safe Mode to run RegEdit. Sometimes you need to log in to the Administrator account. Therefore, make sure you know your Administrator account's password when you get a new computer.

Microsoft System Configuration Utility MSConfig.exe keeps entries of Start-Up programs. Besides that, System Registry has Run, RunOnce and RunOnceEx entry nodes to manage which program can run while Windows is starting.

First, you should check for any startup programs inside HKEY_LOCAL_MACHINE.

Go down to the node HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion, then look for program entries inside Run, RunOnce and RunOnceEx. If you find something you don't know, search for the program's .exe name to find out what it is. If the .exe name is a virus or spyware, then you can delete it.
In the same way, you need to check for any startup programs inside HKEY_CURRENT_USER.


Go down to the node HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion, then look for unwanted .exe programs inside Run, RunOnce and RunOnceEx. If you find something, then delete it.

Some viruses will restore the entry later or after a reboot, even if you delete the entry in the System Registry Editor. Those viruses need special tools to kill them.
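
The Run, RunOnce and RunOnceEx checks described in this post, and the registry step of Method 2 in the KOOBFACE post above, can be done offline against a `reg export` of the keys. This is an added example, not code from either post: it lists every string value under those keys and marks the ones whose executable name matches the files the KOOBFACE post lists. The function names and the sample export are constructed.

```python
import ntpath
import re

# File names listed under Method 2 of the KOOBFACE post on this page.
LISTED_FILES = {"fbtre6.exe", "mstre6.exe"}
RUN_KEY = re.compile(r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft"
                     r"\\Windows\\CurrentVersion\\Run(Once(Ex)?)?(\\|$)", re.I)
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # In .reg text a backslash or double quote inside a string is backslash-escaped.
    return re.sub(r"\\(.)", r"\1", s)

def image_path(command):
    """Executable part of an autorun command line, arguments dropped."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r".+?\.exe\b", command, re.I)
    return m.group(0) if m else command.split(" ", 1)[0]

def audit_run_keys(reg_text, listed=LISTED_FILES):
    """Return (key, value_name, command, is_listed) for every string value
    under the Run, RunOnce and RunOnceEx keys of HKLM and HKCU."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1] if RUN_KEY.match(line[1:-1]) else None
        elif key and (m := STRING_VALUE.match(line)):
            name, command = unescape(m.group(1)), unescape(m.group(2))
            exe = ntpath.basename(image_path(command)).lower()
            findings.append((key, name, command, exe in listed))
    return findings

# Constructed sample in `reg export` text form (real exports are UTF-16 files).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"systray"="c:\\windows\\mstre6.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="\"C:\\Program Files\\Example\\upd.exe\" /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo"
"""
```

Entries that are not marked still need the manual look-up the post describes; a file-name match is only an indicator.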